Analytic Number Theory

Transcription

1 Analytic Number Theory Henryk Iwaniec and Emmanuel Kowalski Author addresses: Rutgers University address: ETH Zrich address:

2 1991 Mathematics Subject Classification. Primary 11Fxx, 11Lxx, 11Mxx, 11Nxx, 11T23, 11T24, 11R42. Key words and phrases. Analytic number theory, distribution of prime numbers, automorphic forms, L-functions, exponential sums.

3 CHAPTER 11 SUMS OVER FINITE FIELDS Introduction. In this chapter we consider a special type of exponential and character sums, called sometimes complete sums, which can be seen as sums over the elements of a finite field. Although the methods of Chapter 8 can still be applied to the study of such sums, disregarding this special feature, the deepest understanding and the strongest results are obtained when the finite field aspect is taken into account and the powerful techniques of algebraic geometry are brought to bear. We have already encountered in the previous chapters some examples of exponential sums which can be interpreted as sums over finite fields, for example, the quadratic Gauss sums G a (p) = ( x ) ( ax ) e p p or the Kloosterman sums (1.56) S(a, b; p) = x mod p x mod p ( ax + b x ) e. p In this chapter we will study these sums in particular. The culminating point of our presentation is the elementary method of Stepanov which we apply for proving Weil s bound for Kloosterman sums S(a, b; p) 2 p and Hasse s bound for the number of points of an elliptic curve over a finite field. Then we survey briefly, without proofs, the powerful formalism of l-adic cohomology developed by Grothendieck, Deligne, Katz, Laumon and others, hoping to convey a flavor of the tools involved and to give the reader enough knowledge to make at least a preliminary analysis of any exponential sum he or she may encounter in analytic number theory Finite fields. We first recall briefly some facts about finite fields, and establish the notations used in this chapter. For every prime p, the finite ring Z/pZ of residue classes modulo p is a field, which we denote F p. The Galois theory of F p is very easy to describe: for any n 1, there exists a unique (up to isomorphism) field extension of F p of degree n, written F p n. Conversely, any finite field F with q elements is isomorphic (but not canonically) to a unique field F p d, so q = p d, and F admits also a unique finite extension of degree n for any n 1, namely F p dn. Let now F = F q be a finite field with q = p d elements. In most of the chapter, p is fixed and we change notation slightly, denoting by F an algebraic closure of F 269

4 SUMS OVER FINITE FIELDS and by F n F the unique extension of degree n of F for n 1. The context will always indicate clearly that the cardinality of F n is q n and not n. The extension F n /F is a Galois extension, with Galois group G n canonically isomorphic to Z/nZ, the isomorphism being the map Z/nZ G n defined by 1 σ, where σ is the Frobenius automorphism of F n given by σ(x) = x q. Let F be a given algebraic closure of F, so by the above, F = n 1 F n. By Galois theory, for any x F, we have x F σ(x) = x if and only if x q = x and more generally (11.1) x F n σ n (x) = x x qn = x. From this we can deduce that F n is the splitting field of the polynomial X qn X F[X]. More precisely, one can state the following result of Gauss: Lemma For any integer n 1, we have (11.2) P = X qn X d n deg(p )=d where the product ranges over all irreducible monic polynomials P of degree d dividing n. Proof. This is an immediate consequence of the description of finite fields: the roots of the polynomial on the right side (in an algebraic closure) are exactly the elements x F n with multiplicity one and, conversely, every such x has a minimal polynomial which must occur, exactly once, among the polynomials P on the left side. Associated to the extension F n /F are the trace map and the norm map. Because of the above description of the Galois group of F n /F, the trace map Tr = Tr Fn/F : F n F is given by (11.3) Tr (x) = σ i (x) = x qi 0 i n 1 0 i n 1 while the norm map N = N Fn/F : F n F is similarly (11.4) N(x) = 0 i n 1 σ i (x) = 0 i n 1 x qi = x qn 1 q 1. The equations Tr (x) = y and N(x) = y, for a fixed y F are very important. Because the extension F n /F is separable, the equation Tr (x) = y always has a solution. If x 0 is a given solution, then all solutions are in one-to-one correspondence with solutions of Tr (a) = 0, by x = x 0 + a. Moreover, any solution of Tr (a) = 0 is of the form a = σ(b) b = b q b for some b F n, unique up to addition of an element in F. Similarly, for any y F, the equation N(x) = y has a solution, and if x 0 is a given solution, the set of solutions is in one-to-one correspondence with solutions of N(a) = 1, which by Hilbert s Theorem 90 (or by direct proof) are all given by

5 11. SUMS OVER FINITE FIELDS 271 a = σ(b)b 1 = b q 1 for some b F n, unique up to multiplication by an element in F. As the additive group of F is finite, the general theory of characters of a finite abelian group (see Chapter 3) can be applied. Characters of F are called additive characters, and they are all of the form x ψ(ax) for some a F, where ψ is some fixed non-trivial additive character. For instance, let Tr : F Z/pZ be the trace map to the base-field, then (11.5) ψ(x) = e(tr (x)/p) is a non-trivial additive character of F. For a given additive character ψ and a F, we denote by ψ a the character x ψ(ax). Applying the general theory of characters of finite abelian groups, we get the orthogonality relations { q if x = 1, ψ(x) = 0 otherwise ψ (which is used to solve the equation x = 0 in F) and { q if ψ = 1 is the trivial character, ψ(x) = 0 otherwise. x F The description of characters of the multiplicative group F (also called multiplicative characters of F) is not so explicit. The group structure of F is well-known (dating back to Gauss): it is a cyclic group of order q 1. Generators of F are called primitive roots, and there are ϕ(q 1) of them, but no useful formula for a primitive root exists. Fixing one, say z F, one has an isomorphism log : { F Z/(q 1)Z x n such that z n = x and all multiplicative characters of F are expressed as ( a log(x) ) χ(x) = e q 1 for some a Z/(q 1)Z, but such a description is usually of no use in analytic number theory. As examples of multiplicative characters, suppose F = Z/pZ and p 2. Then the Legendre symbol ( x ) x p is a non-trivial quadratic character. In general, if δ (q 1), there is a cyclic group of order δ consisting of characters χ of F of order δ. The orthogonality relations become { q 1 if x = 1, χ(x) = 0 otherwise, χ

6 SUMS OVER FINITE FIELDS (the sum over all multiplicative characters), and { q 1 if χ = 1 is the trivial character, χ(x) = x F 0 otherwise. It is usual to extend multiplicative characters to F by defining χ(0) = 0 if χ 1, and χ(0) = 1 if χ = 1. Notice then that for any δ q 1 the formula (11.6) χ(x) = {y F y δ = x} χ δ =1 (also a particular case of the orthogonality relations for the group F /(F ) d, as described in Chapter 3) is true for all x F Exponential sums. Let F = F q be a finite field with q = p m elements, p a prime. Exponential sums over F can be of various kinds. For the simplest case, consider a polynomial P F[X] and an additive character ψ, and define the sum S(P ) = x F ψ(p (x)). Slightly more generally, take a non-zero rational function f = P/Q F(X) and consider S(f) = ψ(f(x)); x F Q(x) 0 for instance, taking q = p and f(x) = ax + bx 1, we have S(f) = S(a, b; p). Multiplicative characters can also be used, getting sums of the type S χ (f) = χ(f(x)) x F (where the star in means here and henceforth that the summation extends to all x which are not poles of f). For q = p, χ = ( p) (the Legendre symbol) and f(x) Z[X] a cubic polynomial without multiple roots modulo p, we see that S χ (f) is the p-th coefficient a p of the Hasse-Weil zeta function of the elliptic curve with equation y 2 = f(x) (see Section 14.4). Still more generally, one can mix additive and multiplicative characters, and define sums such as (11.7) S χ (f, g) = χ(f(x))ψ(g(x)), x F an example of which is the Salié sum T (a, b; p) defined by T (a, b; p) = ( x ) ( ax + b x ) e p p x mod p which occurs in the Fourier expansion of half-integral weight modular forms; see [I6] for instance. In contrast with the seemingly simpler Kloosterman sums S(a, b; p), the Salié sums T (a, b; p) can be explicitly computed (see Lemma 12.4, and Corollary 21.9 for the uniform distribution of the angles of the Salié sums).

7 11. SUMS OVER FINITE FIELDS 273 To end this list, we mention that all these definitions can again be generalized to sums in more than one variable, and that the summation variables can be restricted to the rational points of an algebraic variety defined over F: some examples will appear in the survey sections of this chapter. The exponential sums which directly arise in analytic number theory are sums over the prime field Z/pZ. However, the deeper understanding naturally requires considering sums over the extension fields F p n. Indeed, the very reason for the success of algebraic methods lies in the fact that an exponential sum over F p doesn t really come alone, but has natural companions over all the extension fields F p n, and it is really the whole family which is investigated and which is the natural object of study. Those companion sums are easily defined: take the most general sum S = S χ (f, g) we have introduced, then for n 1 let (11.8) S n = x F n χ(n Fn/F(f(x)))ψ(Tr Fn/F(g(x))) where we use the multiplicative character χ N and the additive character ψ Tr of F n. All the sums S n are incorporated into a single object, the zeta function of the exponential sum, which is the formal power series Z = Z χ (f, g) C[[T ]] defined by the formula ( Z = exp n 1 S n n T n). Justification for the introduction of the zeta function comes from the following rationality theorem, conjectured by Weil, and proved by Dwork. Theorem 11.2 (Dwork). The zeta function Z is the power series expansion of a rational function; more precisely, there exist coprime polynomials P and Q in C[T ], with P (0) = Q(0) = 1, such that Z = P Q. As a corollary, denote by (α i ) (resp. (β j )) the inverse of the roots (with multiplicity) of P (resp. Q), so P = i (1 α i T ), Q = j (1 β j T ). Then using the power-series expansion 1 log 1 T = n 1 we find that the formula Z = P/Q is equivalent to the formula T n n S n = j β n j i α n i for any n 1, which shows how the various sums S n are related. In particular, note that they satisfy a linear recurrence relation of order d equal to the number deg P + deg Q of roots α i, β j.

8 SUMS OVER FINITE FIELDS Corollary We have for any n 1 the upper bound S n j β j n + i α i n. In particular, (11.9) S j β j + i α i. A common abuse of language is to speak of the α i and β j as the roots of the exponential sum S. We will describe in Section a number of general facts about these roots. In the intervening sections, we will prove Dwork s Theorem and estimate the modulus of the roots in the important special cases of Gauss sums, Kloosterman sums and for the local zeta function of elliptic curves. Remarks. We have called the sums S n, n 1, companions of the original exponential sum S. However, one can consider other companions of S as well. If S involves an additive character, it can also be very useful sometimes to consider S as just one element of the family of sums obtained by varying the additive character, specifically if S = χ(f(x))ψ(g(x)), we also introduce for a F, x F S a = χ(f(x))ψ a (g(x)) = χ(f(x))ψ(ag(x)). x F Estimates on average over a for the first few power moments of S a are often easily derived by elementary means, and they can be of great use in estimating S, even in addition to the methods of algebraic geometry. See the proof of Weil s bound for Kloosterman sums in Section 11.7 and the examples in Section More general types of families have been (and still are) extensively studied by Katz; see for instance [K1] The Hasse-Davenport relation. We consider general Gauss sums over a finite field. Let F = F q be a finite field with q = p m elements, and let ψ be an additive character and χ a multiplicative character of F. The Gauss sum G(χ, ψ) is x F (11.10) G(χ, ψ) = x F χ(x)ψ(x). (recall that χ is extended to F by χ(0) = 1, 0 according to whether χ is trivial or not). When χ is the Legendre symbol, one recovers quadratic Gauss sums. The associated sums over the extensions fields are G n (χ, ψ) = x F n χ(n Fn/F(x))ψ(Tr Fn/F(x)) and the zeta function is ( (11.11) Z(χ, ψ) = exp n 1 G n (χ, ψ) T n). n

9 11. SUMS OVER FINITE FIELDS 275 In this case, Dwork s Theorem was proved by Hasse and Davenport and is known as the Hasse-Davenport Relation. Theorem 11.4 (Hasse-Davenport). Assume χ and ψ are non-trivial. Then we have for any n 1, G n (χ, ψ) = ( G(χ, ψ)) n or equivalently the zeta function is a linear polynomial Z(χ, ψ) = 1 + G(χ, ψ)t. Hence the only root for the Gauss sum is G(χ, ψ) itself. This can be estimated elementarily, as was done for the Gauss sums considered in Chapter 3. Proposition We have G(χ, ψ) = q if neither χ nor ψ is trivial, while { 0 if ψ non-trivial, G(1, ψ) = q if ψ = 1 { 0 if χ non-trivial, G(χ, 1) = q if χ = 1. Proof. The last two statements are immediate, so assume neither χ nor ψ is trivial. We have G(χ, ψ) 2 = χ(x) χ(y)ψ(x)ψ( y) x,y F = z F χ(z) y F ψ((z 1)y) (on writing z = xy 1 ) = q (by orthogonality, applied twice.) We now turn to the proof of the Hasse-Davenport Relation. We consider the field F = F(X) of rational functions on F and the ring R = F[X] of polynomials. Recall that R is a principal ideal domain. For h R of degree d 0, we define the norm N(h) = q d. The zeta function of F is the Dirichlet series (analogous to the Riemann zeta function) ζ F (s) = h R h monic N(h) s. Remark. This could also be written as a sum over the non-zero ideals a in R, ζ F (s) = a N(a) s where N(a) = R/a = N(h) for any polynomial h such that a = (h). But we will work with polynomials to emphasize the elementary spirit here.

10 SUMS OVER FINITE FIELDS The Dirichlet series ζ F (s) converges absolutely for Re (s) > 1. Indeed, putting n(d) = {h R deg(h) = d, h is monic} = q d we obtain immediately ζ F (s) = n(d)q ds = q (1 s)d = (1 q 1 s ) 1. d 0 d 0 On the other hand, unique factorization into irreducible polynomials yields an expression of ζ F as an Euler product ζ F (s) = (1 N(P ) s ) 1 P R P monic irreducible which is convergent for Re (s) > 1. The first step in the proof of the Hasse-Davenport Relation consists of writing the zeta function of Gauss sums as an L-function for the field F. Let H F be the subgroup of rational functions which are quotients of monic polynomials, and G H a subgroup with the property h 1 h 2 G h 1, h 2 G. Then if α : G C is a character of the group G, it can be extended to a totally multiplicative function of the set of monic polynomials h R by putting α(h) = 0 if h G. The corresponding L-function is defined analogously to the classical L-functions by the Dirichlet series L(s, α) = h R h monic α(h)n(h) s = P (1 α(p )N(P ) s ) 1 for Re (s) > 1. For dealing with Gauss sums we consider the subgroup G H of rational functions f defined and non-vanishing at 0. Define a character λ on G by λ(h) = χ(a d )ψ(a 1 ) for h = X d a 1 X d ( 1) d a d R. Clearly λ is multiplicative on monic polynomials, and extends to a character of G. In this case we get the following: h: Lemma We have L(s, λ) = 1 + G(χ, ψ)q s. Proof. We arrange the Dirichlet series for L(s, λ) according to the degree of L(s, λ) = d 0 ( deg(h)=d ) λ(h) q ds and evaluate each term in turn. For d = 0, the only monic polynomial occurring is h = 1, and λ(1) = 1. For d = 1, we have h = X a so that χ(a)ψ(a) = G(χ, ψ). deg(h)=1 λ(h) = a F λ(x a) = a F

11 11. SUMS OVER FINITE FIELDS 277 For any d 2 we have λ(h) = λ(x d a 1 X d ( 1) d a d ) deg(h)=d a 1,...,a d F = q d 2 χ(a d )ψ(a 1 ) = 0 a 1,a d F by orthogonality, because at least one of the characters χ, ψ is non-trivial. On the other hand, appealing to the Euler product we will prove: Lemma We have L(s, λ) = Z(q s ), where Z = Z(χ, ψ) is the zeta function (11.11) associated with Gauss sums. Theorem 11.4 follows from Lemmas 11.6 and Proof of Lemma Taking the logarithmic derivative of the Euler product, we get while, on the other hand, 1 L (s, λ) log q L(s, λ) = P deg(p ) λ(p ) r q rds r 1 = ( d dλ(p ) r) q ns n 1 rd=n P deg(p )=d 1 Z (q s ) log q Z(q s ) = G n (χ, ψ)q ns. n 1 It therefore suffices to prove the formula (11.12) dλ(p ) n/d = G n (χ, ψ) P d=deg(p ) n for n 1, the equality of the logarithmic derivatives being sufficient to imply Lemma 11.7 since both sides are Dirichlet series with leading coefficient 1. To prove (11.12), let P be one of the irreducible polynomials appearing on the left side, of degree d n. Its roots, say x 1,..., x d, are in F n. Fix one root x = x j and write P = X d a 1 X d ( 1) d a d. We get N(x) = (N Fd /F(x)) n/d = a n/d d, Tr (x) = n d Tr F d /F(x) = n d a 1 hence λ(p ) n/d = (χ(a d )ψ(a 1 )) n/d = χ(a n/d n ) d )ψ( d a 1 = χ(n(x))ψ(tr (x)).

12 SUMS OVER FINITE FIELDS Summing over all roots of P we derive dλ(p ) n/d = d χ(n(x i ))ψ(tr (x i )), i=1 and summing over all P with deg(p ) n, we get (11.12) by Lemma 11.1 since every element in F n will appear exactly once as one of the roots x i for some P The zeta function for Kloosterman sums. Next we consider Kloosterman sums. Let F be a finite field with q = p m elements and this time consider additive characters ψ and ϕ. We define the Kloosterman sum associated to ψ and ϕ by (11.13) S(ψ, ϕ) = x F ψ(x)ϕ(x 1 ), (the minus factor is only for cosmetic reasons). When q = p is prime, and ψ(x) = e(ax/p), ϕ(x) = e(bx/p), we have therefore S(ψ, ϕ) = S(a, b; p). The companion sums over the extension fields F n are S n (ψ, ϕ) = ψ(tr (x))ϕ(tr (x 1 )) x F n and the Kloosterman zeta function is ( Z = Z(ψ, ϕ) = exp n 1 S n (ψ, ϕ) T n). n We will prove Dwork s Theorem in this case, which is due to Carlitz. Theorem Assume that ψ and ϕ are both non-trivial. Then Z(ψ, ϕ) = 1 1 S(ψ, ϕ)t + qt 2. The proof is very similar to that of Theorem We put R = F[X], F = F(X) as before, and consider the same group G F of quotients of monic polynomials defined and non-vanishing at 0. We define a character η : G C by putting η(h) = ψ(a 1 )ϕ(a d 1 /a d ) for a monic polynomial h G, where we write (compare the previous section) h = X d + a 1 X d a d 1 X + a d (with a d 0 since h G). The following computation verifies that η is indeed a character of G: let h = X e + b 1 X e b e 1 X + b e with b e 0, then and hh = X d+e + (a 1 + b 1 )X d+e (a d 1 b e + a d b e 1 )X + a d b e ( η(hh ad 1 b e + a d b ) e 1 ) = ψ(a 1 + b 1 )ϕ a d b e = ψ(a 1 )ϕ(a d 1 /a d )ψ(b 1 )ϕ(b e 1 /b e ) = η(h)η(h ).

13 11. SUMS OVER FINITE FIELDS 279 Recall that we extend η to all h R by putting η(h) = 0 for h G. Lemma For ψ and ψ non-trivial, the L-function associated to η is given by L(s, η) = η(h)n(h) s = 1 S(ψ, ϕ)q s + q 1 2s. h Proof. By arranging terms according to the degree of h, we write L(s, η) = ( ) η(h) q ds d 0 deg(h)=d and evaluate the inner sums. For d = 0, we have only h = 1 and η(1) = 1. For d = 1, we have h = X + a with a 0, hence η(h) = η(x + a) = ψ(a)ϕ(a 1 ) = S(ψ, ϕ). a F a F deg(h)=1 For d = 2, we get deg(h)=2 η(h) = a F η(x 2 + ax + b) = ψ(a)ϕ(ab a F b F b F ( )( ) = q 1 + ψ(a) ϕ(b) = q a F b F by applying twice the orthogonality of characters, since neither ψ nor ϕ is trivial. Finally, for d 3, we get η(h) = η(x d + a 1 X d a d 1 X + a) a F deg(h)=d a 1,...,a d 1 F = q d 3 a 1,a d 1 F a F since there is free summation over a 1 F. ψ(a 1 )ϕ(a d 1 a 1 ) = 0 Lemma For ψ and ϕ non-trivial, we have the identity Z(ψ, ϕ)(q s ) = L(s, η) 1 = This lemma completes the proof of Theorem Proof. The L-function has an Euler product 1 ) 1 1 S(ψ, ϕ)q s + q 1 2s. L(s, η) = P (1 η(p )N(P ) s ) 1. Taking the logarithmic derivative we get 1 L (s, η) log q L(s, η) = P deg(p ) r 1 = ( d n 1 rd=n η(p ) r r deg(p )s q deg(p )=r η(p ) r) q ns

14 SUMS OVER FINITE FIELDS and as before it suffices to prove the formula (11.14) dη(p ) n/d = S n (ψ, ϕ) d=deg(p ) n for n 1. Let P = X d + a 1 X d a d 1 X + a d be one of the irreducible polynomials on the left side of (11.14), of degree d n, and x 1,..., x d its roots, which lie in F d. We have for each i, (since a 1 d Xd P (X 1 ) = X d + a d 1 Tr (x i ) = n d Tr F d /F(x i ) = n d a 1 Tr (x 1 i a d X d a 1 d ) and ) = n d Tr F d /F(x 1 i ) = n d a d 1 a d. Hence n ) ( n η(p ) n/d = ψ( d a a ) d 1 1 ϕ = ψ( x i )ϕ( x 1 i ) d a d and summing over the roots x i, then over the polynomials P of degree d n, we obtain (11.14) by Gauss s Lemma again. Theorem 11.8 allows us to factor the Kloosterman zeta function Z(ψ, ϕ) = (1 S(ψ, ϕ)t + qt 2 ) 1 = (1 αt ) 1 (1 βt ) 1 where α and β are complex numbers, and of course α + β = S(ψ, ϕ), αβ = q. In sharp contrast to the case of Gauss sums, however, the roots α and β cannot be explicitly computed. Theorem (Weil). Assume that ψ and ϕ are non-trivial and p 2. Then the roots α and β for the Kloosterman sum S(ψ, ϕ) satisfy α = β = q, and therefore we have (11.15) S(ψ, ϕ) 2 q. We will prove Theorem in the next two sections. Corollary Let a, b, c be integers, c positive. We have (11.16) S(a, b; c) τ(c)(a, b, c) 1/2 c 1/2. Proof. By the twisted multiplicativity (1.59) for Kloosterman sums, it suffices to consider c = p ν with p prime and ν 1. If p ab, we have Ramanujan sums for which the result is easy (see (3.2), (3.3)). Otherwise, the case ν = 1 follows from Theorem for p 3, and for p = 2 one checks immediately that the Kloosterman sums modulo 2 satisfy Theorem 11.11: we have S(1, 1; 2) = 1, and the associated zeta function is therefore Z(T ) = 1+T +2T 2, with roots ( 1±i 7)/4 of modulus 1/ 2. The case p ab and β 2 can be dealt with elementarily; see Exercise 1 of Chapter 12.

15 11. SUMS OVER FINITE FIELDS 281 Exercise 1. Consider a general Kloosterman-Salié sum S(χ; ψ, ϕ) = x F χ(x)ψ(x)ϕ(x 1 ) and its associated companions S n and zeta function Z, where ψ and ϕ are additive characters of F and χ is multiplicative (so χ = 1 is the case of Kloosterman sums). Show that Z = (1 S(χ; ψ, ϕ)q s + χ( a)χ(b)q 1 2s ) 1 where ( Tr (ax) ) ψ(x) = e, ϕ(x) = e p ( Tr (bx) Stepanov s method for hyperelliptic curves. We will prove Theorem by deducing it from the Riemann Hypothesis for certain algebraic curves over finite fields. However, we use Stepanov s elementary method (see [Ste], [Sch], [Bo3]) instead of Weil s arguments. Let F be a finite field with q element, of characteristic p. We will only consider algebraic curves C f over F given by equations of the type (11.17) C f : y 2 = f(x) for some polynomial f F[X] of degree m 3. We assume moreover the following condition (11.18) The polynomial Y 2 f(x) F[X, Y ] is absolutely irreducible (i.e. it is irreducible over the algebraic closure of F). This is a minimal regularity assumption on the curve C f. It is easily seen to be equivalent to the condition that f is not a square in F[X], and we will use it in this form. Remark. Stepanov s method has been refined by Schmidt [Sch] and Bombieri [Bo3] and is capable of handling the general case of the Riemann Hypothesis for curves; the case of curves with equation of the type y d = f(x) is not much harder than the one treated here. We limit ourselves to the curves C f for simplicity, and because it suffices for the application to Kloosterman sums and elliptic curves. Note that curves of the type y 2 = f(x) are instances of so-called hyperelliptic curves, which are quite naturally distinguished among algebraic curves (but not all hyperelliptic curves are of this form; see for instance elliptic curves in characteristics 2 and 3). The problem we consider is that of estimating the number C f (F) of F-rational points of C f, i.e., the number N of solutions (x, y) F 2 to the equation y 2 = f(x). We are especially interested in this question when q is large (typically, as with exponential sums, the polynomial f F[X] is fixed, and we consider the F n -rational points for all n 1), although we will obtain completely explicit inequalities. Theorem Assume that f F[X] satisfies (11.18), and m = deg(f) 3. If q > 4m 2, then N = C f (F) satisfies N q < 8m q. p ).

16 SUMS OVER FINITE FIELDS Clearly we can assume that p > 2, as otherwise the map y y 2 is an automorphism of F and N = q. Stepanov s idea, which was inspired by results of Thue [Thu] in diophantine approximation, is to construct an auxiliary polynomial of degree r, say, having zeros of high multiplicity (at least l, say) at the x-coordinates of points of C f (F). Hence one gets easily the inequality N 2rl 1, the factor two being the highest possible multiplicity of a given x-coordinate among points in C f (F). This inequality turns out to be so strong that it gives the upperbound of the theorem (certainly a surprising fact!). A trick then deduces the lower-bound from this. We first distinguish among the points (x, y) these with y = 0. Let N 0 be the number of distinct zeros of f in F, which is also the number of points (x, 0) C f (F). If (x, y) is a point of C f with y 0, it follows that f(x) is a square in F, which is true if and only if g(x) = 1 where g = f c with c = 1 2 (q 1). Conversely, given x F with g(x) = 1, there are exactly two elements y F with y 2 = f(x). Hence, writing (11.19) N 1 = {x F g(x) = 1} it follows that (11.20) N = N 0 + 2N 1. We will estimate N 1 by following the strategy sketched above, but in order to handle the lower bound later, we generalize slightly and consider for any a F the set (11.21) S a = {x F f(x) = 0 or g(x) = a}. To produce polynomials vanishing to a large order, we wish to use derivatives to characterize when this occurs. In characteristic 0, a polynomial P has a zero of order l at x 0 if and only if all the derivatives P (i) with 0 i < l vanish at x 0. In characteristic p > 0, however, this is no longer true if l > p, as the example of the polynomial P = X p shows, since P (k) = 0 for all k 1, in particular, P (p) (0) = 0. A satisfactory solution follows by considering other differential operators. Definition. Let K be any field. For any k 0, the k-th Hasse derivative is the linear operator E k : K[X] K[X] defined by ( ) n E k X n = X n k k for all n 0, and extended to K[X] by linearity. beware that E k E E E). Remark. From the binomial expansion n ( ) n X n = (X a + a) n = a n k (X a) k, k k=0 We also write E = E 1 (but and by linearity, we see that the value of E k P at a point a K, for P K[X], is simply the coefficient of (X a) k in the Taylor expansion of P around a. This

17 11. SUMS OVER FINITE FIELDS 283 explains the properties of the Hasse derivatives, but we cannot take this as a definition, because the values of a polynomial over a finite field do not characterize the polynomial. Note that for K of characteristic p > 0, we get EX p = E 2 X p = = E p 1 X p = 0, but E p X p = 1 0 and we see that the Hasse derivatives detect the zero of X p of order exactly p at 0. This is a general fact, as Lemma will show. Lemma The Hasse derivatives satisfy E k (fg) = k (E j f)(e k j g) j=0 for all f, g K[X], and more generally, (11.22) E k (f 1 f r ) = for f 1,..., f r K[X]. j 1+ +j r=k (E j1 f 1 ) (E jr f r ) Proof. It suffices to consider f = X m, g = X n, and the first formula follows from the identity ( ) n + m k ( )( ) m n = k j k j j=0 which is obvious from the combinatorial interpretation of the binomial coefficients. Then the second formula follows by induction. Corollary (1) For all k, r 0, and all a K, we have ( ) r E k (X a) r = (X a) r k. k (2) For all k, r 0 with k r, and all f, g K[X], we have for some polynomial h such that E k (fg r ) = hg r k deg(h) deg(f) + k deg(g) k. Proof. For (1), we apply (11.22) to f 1 = = f r = X a, getting E k (X a) r = E j1 (X a) E jr (X a) j 1+ +j r=k and only terms with all j i {0, 1}, 1 i r, give non-zero contributions since E j (X a) = 0 for j 2, from the definition. Hence (1) follows. For (2), we observe that if k r, we have j i = 0 for at least r k indices in (11.22), which gives (2). Lemma Let f K[X] and a K. Suppose that (E k f)(a) = 0 for all k < l. Then f has a zero of order l at a, i.e., is divisible by (X a) l.

18 SUMS OVER FINITE FIELDS Proof. Let f = 0 i d α i (X a) i be the Taylor expansion of f around a. By (1) of Corollary 11.15, we obtain E k f = ( ) i α i (X a) i k k k i d and evaluating at a we get α k = 0 for all k < l, hence f is divisible by (X a) l as claimed. We need another technical lemma. Lemma Let K = F be a finite field of characteristic p with q elements, and let r = h(x, X q ) F[X], where h F[X, Y ]. Then E k r = (E k Xh)(X, X q ) for all k < q, where on the right side EX k h denotes the Hasse derivative of h performed with respect to X. Proof. It suffices to consider h = X n Y m, so we must prove that E k X n+mq = (E k X n )X mq. From Lemma 11.14, we get E k X n+mq = k E k j X n E j X mq j=0 so it suffices to show that E j X mq = 0 for 0 < j < q to prove the lemma. But ( ) mq = mq ( ) mq 1 = 0 j j j 1 in characteristic p, and the result follows. We come to the heart of Stepanov s method, the construction of the auxiliary polynomial. Proposition Assume that q > 8m, and let l be an integer satisfying m < l q/8. Then there exists a polynomial r F[X] of degree deg(r) < cl + 2ml(l 1) + mq which has a zero of order at least l at all points x S a (recall c = 1 2 (q 1)). We will look, by the method of indeterminate coefficients, for a polynomial r of the special form (11.23) r = f l (r j + s j g)x jq 0 j<j for some polynomials r j, s j F[X], to be constructed, each of which has degree bounded by c m. Hence such a polynomial r has degree bounded by (11.24) deg(r) lm + c m + cm + Jq (J + m)q. The next lemma is crucial to ensure that r 0. This is where we need the assumption (11.18).

19 11. SUMS OVER FINITE FIELDS 285 Lemma We have r = 0 F[X] if and only if r j = s j = 0 F[X] for all j. Proof. We can assume (by a shift X X + a if necessary) that f(0) 0. Suppose that r = 0 but not all r j, s j are zero; let k be the smallest index for which one of r k, s k is non-zero. Dividing by f l X kq, we get from (11.22) the identity (r j + s j g)x (j k)q = 0 k j<j which we write in the form h 0 + h 1 g = 0, where h 0 = r j X (j k)q, h 1 = k j<j k j<j s j X (j k)q. We square this equation, then multiply both sides by f, getting Since f F[X], we have h 2 0f = h 2 1f q. f(x) q = f(x q ) f(0) (mod X q ) hence rkf 2 s 2 kf(0) (mod X q ). However, the degree s of the polynomials in this congruence are bounded by 2 deg(r k ) + m 2(c m) + m < q, and 2 deg(s k ) < 2(c m) < q, respectively. So there must be equality rk 2f = s2 kf(0), which contradicts the assumption (11.18) that f is not a square in F[X]. We now evaluate the Hasse derivatives of r. Lemma Let k l. Then there exist polynomials r (k) j, s (k) j degree c m + k(m 1) such that E k r = f l k 0 j<j (r (k) j + s (k) j g)x jq. each one of Proof. We can write r = h(x, X q ) where h F[X, Y ] is the polynomial h = f l (r j + s j f c )Y jq. Hence by Lemma 11.17, we have E k r = (E k Xh)(X, X q ) = 0 j J 0 j<j By (2) of Corollary there exist polynomials r (k) j f l k r (k) j and E k (f l+c s j ) = f l k+c s (k) j c m + k(m 1) and deg(s (k) j (E k (f l r j ) + E k (f l+c s j ))X jq. and s (k) j satisfying E k (f l r j ) = ) deg(r j ) + k deg(f) k with deg(r (k) j ) c m + k(m 1). This is the desired result. Recall that we wish r to have zeros of order l at points in S a (see (11.20)). If f(x) = 0, clearly this is the case. So let x S a, with f(x) 0. Applying Lemma

20 SUMS OVER FINITE FIELDS 11.21, we evaluate E k r at a point x S a, using g(x) = a, and most importantly x q = x: E k r(x) = f(x) l k (r (k) j (x) + as (k) j (x))x j 0 j<j = f(x) l k σ (k) (x) where σ (k) F[X] is the polynomial σ (k) = 0 j<j (r (k) j + as (k) j )X j. We can now prove Proposition 11.18: if σ (k) = 0 for all k < l, Lemma shows that r has a zero of order l at all points in S a. The system of equations (11.25) σ (k) = 0, for all k < l is a homogeneous system of linear equations, the unknowns being the coefficients of the polynomials r j, s j, the equations corresponding to the coefficients of the σ (k). We observe that deg(σ (k) ) < c m + k(m 1) + J, so the number of equations does not exceed B = l(c m + J) + 1 2l(l 1)(m 1) while, on the other hand, the number of coefficients of the r j and s j is at least A = 2(c m)j. By choosing J large enough, we can make A > B. Then the system (11.25) has a non-trivial solution, and by Lemma this produces r 0 such that r has zeros of order l at all points x S a. Taking J = l (c + 2m(l 1)) q one can check that A > B (recall that 2c = q 1 and 8l q). The degree of r is bounded by (11.24), which gives Proposition We now prove Stepanov s Theorem First, let a be arbitrary, and apply Proposition Since the auxiliary polynomial r is non-zero and vanishes to order l at points in S a, we have l S a deg(r) cl + 2ml(l 1) + mq so S a c + 2m(l 1) + mql 1. We choose l = 1 + [ q/2], which gives the bound (11.26) S a < c + 4m q. To prove Theorem 11.13, take first a = 1 getting hence the upper bound N 0 + N 1 = S a < q 2 + 4m q (11.27) N = N 0 + 2N 1 < 2(N 0 + N 1 ) < q + 8m q. To get a lower bound, by the factorization X q X = X(X c 1)(X c + 1) we have f(x)(g(x) 1)(g(x) + 1) = 0 for all x F, hence N 0 + N 1 + N 2 = q where N 2 = {x F g(x) = 1}. By (11.26) applied to S 1, we have N 0 + N 2 = S 1 < q 2 + 4m q

21 11. SUMS OVER FINITE FIELDS 287 hence and finally, N 1 = q N 0 N 2 > q 2 4m q, (11.28) N = N 0 + 2N 1 2N 1 > q 8m q. Clearly (11.27) and (11.28) prove Theorem Proof of Weil s bound for Kloosterman sums. Let F be a finite field with q elements, of characteristic p 2. Let ψ be any fixed non-trivial additive character of F. For any additive character ϕ there exists a unique a F such that ϕ = ψ a, hence any Kloosterman sum S(ψ, ϕ) is of the form S(ψ a, ψ b ) = x F ψ(ax + bx 1 ) for some a, b F. We consider a and b as fixed and write g = ax + bx 1. We will prove Weil s bound (11.15) by relating the average of the Kloosterman sums S(ψ a, ψ b ) over ψ to the number of points on an hyperelliptic curve, where the contribution of the trivial character ψ 0 = 1 will be the main term. Lemma For any n 1 and any x F n, we have (11.29) {x F n y q y = x} = ψ ψ(tr(x)) where the sum ranges over all additive characters of F and Tr is the trace F n F. Proof. If Tr (x) = 0, then the equation y q y = x has q solutions exactly, as recalled in Section 11.2, and in this case we have ψ(tr (x)) = 1 for all ψ, hence the right side of (11.29) is also equal to q. On the other hand, if Tr (x) 0, the equation y q y = x has no solution, and the character sum is zero by orthogonality. From this lemma we deduce that S n (ψ a, ψ b ) = ψ(tr g(x)) ψ ψ (11.30) x F n = {(x, y) F n F n y q y = g(x)} = N n, say, for n 1. If ψ = ψ 0, the trivial character, we have S(ψ a, ψ b ) = S(ψ 0, ψ 0 ) = 1 q n. For ψ ψ 0, let α ψ, β ψ be the roots of the Kloosterman sum S(ψ a, ψ b ), so by Theorem 11.8 we have α ψ β ψ = q and for all n 1. We can therefore write S n (ψ a, ψ b ) = α n ψ + β n ψ, N n = q n 1 ψ ψ 0 (α n ψ + β n ψ).

22 SUMS OVER FINITE FIELDS The equation y q y = g(x) does not obviously describe a curve, since g is not a polynomial, but multiplying by x it is equivalent with C a,b : ax 2 (y q y)x + b = 0 (note that x = 0 is not possible since b 0). Because p 2, the number of solutions is equal to the number of solutions of the discriminant equation of this quadratic equation D a,b : (y q y) 2 4ab = v 2, i.e., N n = D a,b (F n ). This is of the form (11.17) with deg(f) = 2q, and because 4ab 0 it satisfies (11.18). Hence by Theorem we have N n q n < 16q 1+n/2 if n is large enough, so that q n > 16q. By (11.30) we get a sharp estimate for the roots α ψ, β ψ, on average 1 (11.31) (αψ n + β n q ψ) 16q n/2 ψ ψ 0 for n large enough. The following simple lemma shows that the individual roots must be of modulus q: Lemma Let ω 1,..., ω r be complex numbers, A, B positive real numbers and assume that r AB n j=1 holds for all integers n large enough. Then ω j B for all j. ω n j Proof. One can do this by hand (using Dirichlet s box principle), but a nice trick gives the result immediately: consider the complex power series f(z) = ( ) ωj n z n = 1 1 ω n 1 j j j z. The hypothesis implies that f converges absolutely in the disc z < B 1, hence f is analytic in this region. In particular, it has no poles there, which means that we must have ω j 1 B 1 for all j. From this lemma applied with A = 16q, B = q, we deduce the upper bounds α ψ q, β ψ q for all ψ ψ 0. Since α ψ β ψ = q, we have in fact α ψ = β ψ = q, and so Theorem is proved. Remarks. (1) We see here twice how crucial the introduction of the companion sums K n is: first because the curve D a,b has very high degree, so Stepanov s bound N q < 8m q is trivial when applied to F itself, and secondly because only by the consideration of all extension fields can we determine the exact order of magnitude of the roots, and obtain Weil s bound S(ψ, ϕ) 2 q with the sharp constant 2. (2) The constant 2 is optimal in Weil s bound for fixed a, b and q. Indeed we have S n (ψ a, ψ b )z n 1 = 1 α ψ z β ψ z. n 1

23 11. SUMS OVER FINITE FIELDS 289 This is a non-zero rational function with poles on the circle z = 1/ q, hence this is its radius of convergence. Therefore lim sup S n (ψ a, ψ b ) 1/n = 1. n + q This means that for any ε > 0 there exist infinitely many n such that S n (ψ a, ψ b ) (2 ε)q n/2. It is conjectured (this follows from the Sato-Tate Conjecture for the angles of Kloosterman sums described in Chapter 21) that the Weil bound is also optimal when a, b are fixed, n = 1, and q = p +. However, this remains very much open. See the remark at the end of the introduction to Section 11.8 for the case of elliptic curves. (3) Using the extension of Stepanov s method to curves of the type y d = f(x) and an analysis of the corresponding zeta function, one can prove the following estimate for complete character sums: Theorem Let F be a finite field with q elements and let χ be a nontrivial multiplicative character of F of order d > 1. Suppose f F[X] has m distinct roots and f is not a d-th power. Then for n 1 we have χ(n(f(x))) (m 1)q n/2. x F n This is Theorem 2C, p. 43, of [Sch]. In particular, we get the following corollary which will be used in proving the Burgess bound for short character sums (Theorem 12.6). Corollary Let χ (mod p) be a non-principal multiplicative character. If one of the classes b v (mod p), v = 1,..., 2r is different from the remaining ones then χ((x + b 1 )... (x + b r )) χ((x + b r+1 )... (x + b 2r )) 2rp 1 2. x(mod p) with Proof. Observe that χ((x + b 1 )... (x + b r )) χ((x + b r+1 )... (x + b 2r ) = χ(f(x)) f(x) = 1 j r (x + b j ) r+1 j 2r (x + b j ) p 2. From the assumption, one of the b i is a root of f of order either 1 or p 2, which is coprime with the order d (p 1) of χ, so we can apply Theorem

24 SUMS OVER FINITE FIELDS The Riemann Hypothesis for elliptic curves over finite fields. A particularly important case of the Riemann Hypothesis is that of elliptic curves. Historically this was first established by Hasse using global methods. In the notation of Section 11.6, this means that we consider curves C f with deg f = 3, so the equation is of the form (11.32) C : y 2 = x 3 + a 2 x 2 + a 4 x + a 6 (the numbering reflects the traditional notation for elliptic curves, see Section 14.4). In contrast with that section, we emphasize that we are considering the affine curve, without the point at infinity. The cubic polynomial f(x) = x 3 + a 2 x 2 + a 4 x + a 6 cannot be a square, so this curve satisfies the assumption (11.18). Moreover, we assume that f does not have a double root; this means that the curve C is smooth (see Section 11.9), and it is a necessary condition for what follows. In this case, Theorem implies that for q > 36 the number N = C(F) satisfies N q < 24 q. In Section we will prove, as before for Kloosterman sums, the rationality and the functional equation of the corresponding zeta function, from which we will deduce: Theorem Let C be an elliptic curve over F given by C : y 2 = x 3 + a 2 x 2 + a 4 x + a 6 with a i F. Then for all n 1 we have (11.33) C(Fn ) q n 2q n/2. Remarks. Theorem is optimal. Indeed letting n +, this follows as for Kloosterman sums from Lemma However, it is also true in the horizontal sense as the following example shows: let E/Q be the elliptic curve with equation E : y 2 = x 3 x which has complex multiplication by Z[i]. As before we consider the affine points, not the projective ones. The discriminant of E is 64 so E can be reduced modulo p to an elliptic curve over Z/pZ for any odd prime p. One shows (for instance by relating E to the curve y 2 = x by changing (x, y) (yx 1, 2x y 2 x 2 ) for (x, y) (0, 0), see e.g. [I4] or [IR]) that E(Z/pZ) = p if p 3 (mod 4) and E(Z/pZ) = p 2a p if p 1 (mod 4), where p = a 2 p + b 2 p with π = a p + ib p 1 (mod 2(1 + i)) (this congruence determines π up to conjugation). For any ε > 0, Theorem 5.36 (generalized slightly to add the congruence condition) shows that there exist infinitely many Gaussian primes π 1 (mod 2(1+i)) such that arg π < ε. Hence Im (π) ε π and for infinitely many p. p E(Z/pZ) = 2 a p 2(1 ε 2 ) p

25 11. SUMS OVER FINITE FIELDS 291 Theorem will be proved in Section after some geometric and algebraic preliminaries. This goes a bit further away from the heart of analytic number theory, yet we include full details because the Hasse bound is also important as being the simplest case of the very important Deligne bound for Fourier coefficients of modular forms. The reader will also certainly appreciate the elegance and beauty of the geometry involved Geometry of elliptic curves. In explaining the special geometric features of elliptic curves, we may as well consider a more general case. So let k be an arbitrary field, k an algebraic closure, and let C be the curve given by the equation C : y 2 = f(x), with f = X 3 + a 2 X 2 + a 4 X + a 6 k[x], identified with the set of solutions (x, y) k 2. We assume as before that f does not have a double root. If k /k is any extension, we let C(k ) be the set of solutions in (k ) 2. The geometry of the elliptic curve becomes much clearer if we work with the projective version of the curve C, namely the curve E in the projective plane given, in homogeneous coordinates (x : y : z), by the equation E : y 2 z = x 3 + a 2 x 2 z + a 4 xz 2 + a 6 z 3. Putting z = 1 gives back C; on the other hand, at infinity, we are only adding one point: taking z = 0 yields x = 0, and all elements (0 : y : 0) (with y 0) correspond to a single point = (0 : 1 : 0) in the projective plane. Notice that this point is rational over the base field k, so that for all extensions k /k we have E(k ) = C(k ) { }. The main property of the curve E that we will use is the beautiful fact that its points form an abelian group, with identity element. Throughout, p denotes points on E, not the characteristic of the field k. The group law (denoted by +) is described by the geometric condition that for any three (distinct) points p 1, p 2 and p 3 in E, we have p 1 + p 2 + p 3 = 0 if and only if the three points are collinear (in the projective plane), and the opposite of a point (x : y : z) is the point (x : y : z) (symmetry with respect to the x-axis). This way one can construct the sum of any two distinct points, by computing the equation of the line joining them, and taking the opposite (in the sense above) of the third intersection point with the curve. That there are exactly three intersection points follows immediately from the fact that the polynomial f is of degree 3. In addition, to compute the double p + p of a point p, the same construction is done with the tangent line at p; the condition that f has no double root ensures that this tangent line always exists. Also, because f k[x], it follows easily that the k -rational points E(k ), for any extension k /k, form a subgroup of E( k). We do not prove those facts here; completely elementary proofs, by computing explicitly the coordinates of the sum p 1 + p 2 of two points according to the recipe above and checking the abelian group axioms (associativity is the only difficulty), are fairly straightforward (see for instance [IR], ch. 18, 19).

26 SUMS OVER FINITE FIELDS We now introduce some further geometric objects related to E or, more generally, to any smooth, projective, algebraic curve 1. Thus consider again a more general case: let k be an algebraically closed field, and let E be a plane algebraic curve over k, i.e. given by an equation f(x, y, z) = 0 for some homogeneous f k[x, Y, Z]. We identify E with the set of points in the projective plane. We assume that E is smooth, which means here that for any point p = (x : y : z) of E, not all partial derivatives f/ X(p), f/ Y (p), f/ Z(p), are zero. In this case the line with equation f f f (p)(x x) + (p)(y y) + (p)(z z) = 0 X Y Z is well-defined and is the tangent line to E at p. For elliptic curves y 2 = f(x), this smoothness condition is equivalent to the fact that the polynomial f has no double roots, by a simple calculation. Let C be the affine curve corresponding to E given by C : f(x, y, 1) = 0 in k 2. Let g(x, Y ) = f(x, Y, 1) k[x, Y ]. We define k[c] = k[x, Y ]/(g). Elements of k[c] can be interpreted as functions on C. We assume that (g) is a prime ideal (this is easily checked in the case of elliptic curves) so that k[c] is an integral domain, and we let k(c) or k(e) be its quotient field, called the function field of C or of E. It is a finite extension of the field k(x) of rational functions over k (for elliptic curves y 2 = f(x), it is a quadratic extension k(x)( f)). We interpret elements of the function field as rational functions on E, so given a point p E and an element ϕ k(e), either ϕ has a pole at p or ϕ(p) k is defined. Now the important point is that because E is smooth it is possible to define the order of ϕ at p for every p in E and every non-zero rational function ϕ k(e). As expected, this order behaves like its analogue for holomorphic functions theory or rational functions. Precisely, for every p R, there is a discrete valuation ord p : k(e) Z, which gives the order of the zero (if 0) or pole (if < 0) of a rational function at p. As a discrete valuation, it satisfies ord p (c) = 0, for c k, ord p (ϕψ) = ord p (ϕ) + ord p (ψ), ord p (ϕ + ψ) min(ord p (ϕ), ord p (ψ)). We sketch a proof (see also [Sil], Prop. II.1.1): consider the ring O p = {ϕ k(e) ϕ is defined at p}. This is a noetherian local domain with maximal ideal m p = {ϕ O p ϕ(p) = 0} and residue field O p /m p k (by evaluation at p). Because E is smooth at p (there is a tangent line), the k-vector space m p /m 2 p is of dimension 1 (because the curve is in the plane, it is of dimension 2; the equation of the tangent line gives a relation, and it is easy to see that m p /m 2 p 0). By Nakayama s Lemma (see for instance [AM], p. 21), it follows that m p is a principal 1 The reader can without damage assume that we are just dealing with the elliptic curves described before, with k = F. In this case every incomplete assertion can be checked by hand.

27 11. SUMS OVER FINITE FIELDS 293 ideal. Let π be a generator; then m d p is generated by π d for any d 1. The order ord p can be defined for ϕ in O p, ϕ 0, by ord p (ϕ) = max{d 0 ϕ m d p} and extended to a homomorphism k(e) Z. The properties above are then quite easy to check. For elliptic curves y 2 = f(x), one can easily see that if p, and p = (x, y) with y 0, it is possible to take π = X x. For p =, one can take π = X/Y, and one finds that ord (x) = 2, ord (y) = 3. Every non-zero element ϕ k(e) has finitely many zeros and poles, and to package them conveniently we define a divisor on E to be a formal finite linear combination with coefficients in Z of symbols [p], one for each point p E. Divisors form a free abelian group Div(E). Two homomorphisms are important. One associates to a non-zero rational function ϕ the divisor (denoted (ϕ)) of its zeros and poles: k(e) Div(E) ϕ (ϕ) = ord p (ϕ) p E and the second gives the degree of a divisor: { Div(E) Z, deg [p] 1. As suggested by the notation, divisors of the type (ϕ) are called principal divisors. Ordinary rational functions have as many zeros as poles, with multiplicity, and the same holds for ϕ k(e) : this means that for all ϕ k(e), we have deg((ϕ)) = 0 (see for instance [Sil], II-3). For elliptic curves y 2 = f(x), an easy proof can be derived by observing that k(e) is a quadratic extension of k(x). The non-trivial element in the Galois group is ϕ ϕ defined by ϕ(p) = ϕ( p). It is clear that ord p (ϕ) = ord p ( ϕ), hence deg(ϕ) = deg( ϕ). Now ϕ ϕ is in k(x). One can check the following compatibility: if ψ k(x), with divisor (ψ) 1 = n i x i (as an ordinary rational function), then its divisor as an element of k(e) is (ψ) = ni ([p i ] + [ p i ]), where p i is any point of E with x-coordinate x i. In particular, 0 = deg((ψ) 1 ) = 2 deg((ψ)). Applying this to ϕ ϕ gives 0 = deg(ϕ ϕ) = deg(ϕ) + deg( ϕ) = 2 deg(ϕ). Definition. 1. Two divisors D 1 and D 2 such that D 1 D 2 = (ϕ) for some ϕ k(e) are called linearly equivalent. This is denoted D 1 D 2, and is an equivalence relation on Div(E). 2. The group Div(E) carries a partial ordering, compatible with the group structure, defined by D 0 if and only if all the coefficients in the formal sum giving D are 0. Such divisors are called effective divisors. 3. For a divisor D Div(E), let L(D) = {0} {ϕ k(e) (ϕ) + D 0}; this is a k-vector space. Let l(d) = dim L(D), an integer or +. If D = n 1 [p 1 ]+...+n k [p k ] m 1 [q 1 ]... m j [q j ] with n i, m i 0, then ϕ L(D), ϕ 0, means simply that ϕ has